
People should not rely on that to any degree more than they would rely on colocated processes on a VM being isolated. The easiest way to be safe is to assume that all containers are already broken out of - what would you do then? Make sure processes are running as non-root, use various protection layers (pick your poison - SELinux, grsecurity, etc.), take away capabilities, and don't run workloads you don't trust.
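
The "assume it is already broken out of" posture in the comment above is only as good as the hardening that actually reached the process, so it is worth checking from inside the workload rather than trusting the run command. The script below is an added example, not code from this thread or from any container runtime; it reads /proc/self/status on Linux, decodes the CapEff and CapBnd masks into capability names using the bit numbering from linux/capability.h, and fails if the process is root, still holds capabilities, or lacks no_new_privs. The `docker run` invocation in the comments is an assumed usage, not something the page describes.

```shell
#!/bin/sh
# Added example (not from the thread): audit the current process for the
# hardening recommended above: non-root, capabilities dropped, no_new_privs.
# Assumed invocation (Docker flags shown are real, the image name is not):
#   docker run --rm --user 65534:65534 --cap-drop ALL \
#     --security-opt no-new-privileges --read-only IMAGE sh caps-check.sh --check

# Capability names indexed by bit number, per linux/capability.h (bits 0..40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK: print the cap_* names set in a CapEff/CapBnd mask,
# space separated in bit order (an empty line for an all-zero mask).
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out cap_$name"
        fi
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "${out# }"
}

# count_caps HEXMASK: number of capabilities set in the mask.
count_caps() {
    set -- $(decode_caps "$1")
    echo "$#"
}

# status_field NAME: value of the "NAME:" line in /proc/self/status.
status_field() {
    awk -v key="$1:" '$1 == key { print $2 }' /proc/self/status
}

# audit_self: print one line per check and return 1 if any expectation fails.
audit_self() {
    rc=0
    uid=$(id -u)
    if [ "$uid" -eq 0 ]; then
        echo "FAIL: running as uid 0 (use --user or USER in the Dockerfile)"
        rc=1
    else
        echo "ok: uid $uid"
    fi
    # CapEff is what the process can use now; CapBnd is what it could ever
    # regain via setuid binaries or file capabilities, so check both.
    for capset in CapEff CapBnd; do
        mask=$(status_field "$capset")
        n=$(count_caps "$mask")
        if [ "$n" -ne 0 ]; then
            echo "FAIL: $capset holds $n capabilities: $(decode_caps "$mask")"
            rc=1
        else
            echo "ok: $capset is empty"
        fi
    done
    if [ "$(status_field NoNewPrivs)" != "1" ]; then
        echo "FAIL: NoNewPrivs not set (pass --security-opt no-new-privileges)"
        rc=1
    else
        echo "ok: no_new_privs set"
    fi
    return "$rc"
}

case "${1:-}" in
    --check) audit_self ;;
esac
```

A non-root process normally shows CapEff 0 even when the bounding set is still the runtime default (Docker's is 00000000a80425fb, fourteen capabilities), which is why the bounding set and no_new_privs are checked as well: without both, a setuid binary or a file-capability-bearing executable in the image can hand those capabilities back.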


I'm not saying they should, but they are. And given the fact that containers are often marketed as "lightweight VMs", I'm not very surprised by that.


In this case the analogy is apt - VM isolation is also not very secure - exploits like Rowhammer are usually more heavyweight though.


Sure, any Xen guest escape receives equal amounts of press for exactly that reason: it's an isolation barrier breaking down. However, trivial exploits breaking VM isolation have been relatively rare lately.


People most definitely should not but very much are expecting a level of isolation between containers that does not exist.



